• Balbir Singh's avatar
    mm owner: fix race between swapoff and exit · 553d7dd7
    Balbir Singh authored
    [Here's a backport of 2.6.27-rc8's 31a78f23
     to 2.6.26 or 2.6.26.5: I wouldn't trouble -stable for the (root only)
     swapoff case which uncovered the bug, but the /proc/<pid>/<mmstats> case
     is open to all, so I think worth plugging in the next 2.6.26-stable.
     - Hugh]
    
    
    There's a race between mm->owner assignment and swapoff, more easily
    seen when task slab poisoning is turned on.  The condition occurs when
    try_to_unuse() runs in parallel with an exiting task.  A similar race
    can occur with callers of get_task_mm(), such as /proc/<pid>/<mmstats>
    or ptrace or page migration.
    
    CPU0                                    CPU1
                                            try_to_unuse
                                            looks at mm = task0->mm
                                            increments mm->mm_users
    task 0 exits
    mm->owner needs to be updated, but no
    new owner is found (mm_users > 1, but
    no other task has task->mm = task0->mm)
    mm_update_next_owner() leaves
                                            mmput(mm) decrements mm->mm_users
    task0 freed
                                            dereferencing mm->owner fails
    
    The fix is to notify the subsystem via mm_owner_changed callback(),
    if no new owner is found, by specifying the new task as NULL.
    
    Jiri Slaby:
    mm->owner was set to NULL prior to calling cgroup_mm_owner_callbacks(), but
    must be set after that, so as not to pass NULL as old owner causing oops.
    
    Daisuke Nishimura:
    mm_update_next_owner() may set mm->owner to NULL, but mem_cgroup_from_task()
    and its callers need to take account of this situation to avoid oops.
    
    Hugh Dickins:
    Lockdep warning and hang below exec_mmap() when testing these patches.
    exit_mm() up_reads mmap_sem before calling mm_update_next_owner(),
    so exec_mmap() now needs to do the same.  And with that repositioning,
    there's now no point in mm_need_new_owner() allowing for NULL mm.
    Reported-by: default avatarHugh Dickins <hugh@veritas.com>
    Signed-off-by: default avatarBalbir Singh <balbir@linux.vnet.ibm.com>
    Signed-off-by: default avatarJiri Slaby <jirislaby@gmail.com>
    Signed-off-by: default avatarDaisuke Nishimura <nishimura@mxp.nes.nec.co.jp>
    Signed-off-by: default avatarHugh Dickins <hugh@veritas.com>
    Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
    Cc: Paul Menage <menage@google.com>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
    553d7dd7
exec.c 40.5 KB